German, Executives

German Executives Face Personal Liability as NIS-2 Compliance Deadline Extended

Veröffentlicht: 08.07.2026 um 03:12 Uhr, Redaktion boerse-global.de

Germany extends NIS-2 registration to July 2026 as over a third of firms miss deadline. Experts warn many are still non-compliant, with management facing personal liability and fines up to €10M.

NIS-2 Deadline Extended: Germany's Cybersecurity Law Compliance Gaps
German - German Executives Face Personal Liability as NIS-2 Compliance Deadline Extended 08.07.2026 - Bild: über boerse-global.de

More than one-third of Germany’s expected 29,500 companies subject to the new NIS-2 cybersecurity law have yet to register, prompting the Federal Office for Information Security (BSI) to push the deadline to 31 July 2026. But experts warn that even those who have met the registration requirement may be far from compliant—and top management is personally on the hook.

Under the NIS-2 Implementation Act, which came into force on 6 December 2025, “important” and “especially important” institutions must register with the BSI. By the end of May, only 18,500 had done so. Missing the new deadline carries fines of up to €500,000.

Yet registration is just the start. Christoph Neukam, a consultant at service provider Axians, warns that many registered companies still lack the operational readiness to respond to a real incident. “Frequently missing are tested procedures, clear escalation chains, or incident-response processes,” he says. That gap matters because the law imposes a tiered reporting system: an initial alert to the BSI within 24 hours, a detailed follow-up after 72 hours, and a final report within one month.

Similar timelines apply under the DORA regulation for financial firms, and under the GDPR for breaches involving personal data, where the 72-hour notice to supervisory authorities already holds.

C-suite accountability hits new heights

NIS-2 frames IT security as a management and governance responsibility. Company boards must oversee risk-management measures, undergo regular training, and can be held personally liable for failures. Industry bodies such as the Regensburg Chamber of Commerce and Industry are running seminars on the risks.

The sanctions are severe. Violations of core security obligations can result in fines of up to €10 million or 2% of global annual turnover. In Poland, penalties are even steeper—up to 300% of a manager’s annual salary.

Security spending surges amid rising threats

The regulatory pressure is translating into market growth. German IT security spending is forecast to hit €12.2 billion in 2026, an increase of 9.9%. The driver: an intensifying threat landscape. In the first quarter of 2026, 86% of phishing attacks were AI-powered. Ransomware losses have climbed 358% since 2019.

Operational technology (OT) security—protecting production environments—poses a particular challenge. Here, system availability trumps data confidentiality, yet more than half of critical infrastructure (KRITIS) operators still lack adequate attack-detection systems. Meanwhile, the daily number of newly discovered vulnerabilities has risen by 24%.

Austria is also tightening rules: from 2026, companies with more than 50 employees or over €10 million in revenue must conduct a risk analysis.

Experts advise affected businesses to complete registration by the end of July, address supply-chain risks, and roll out basic technical measures such as network segmentation and multi-factor authentication across the board.

en | boerse | 69718616 |